---
title: Introduction
course: intro_pentest
section: Exploitation
layout: lesson
---

Exploitation is the process of gaining control over a system. This process can
take many different forms, but for this course the end goal always remains the
same: administrative-level access to the computer. In many ways, exploitation is
the attempt to turn the target machine into a puppet that will execute your
commands and do your bidding. Just to be clear, exploitation is the process of
launching an exploit. An exploit is the realization of a vulnerability: an issue
or bug in the software code that allows a hacker or attacker to alter the
original functionality of the software.

Of all the steps we cover, exploitation is probably the step aspiring hackers
are most interested in. It certainly gets a lot of attention because this phase
involves many of the traditional activities that people associate with “hacking”
and penetration testing. There are volumes of books that are dedicated to the
process of exploitation. Unfortunately, there are also volumes of misinformation
regarding step 3. Stories from Hollywood and urban legends of famed hacker
exploits have tainted the minds of many newcomers. However, this doesn’t mean
that exploitation is any less exciting or exhilarating.

Of all the steps we discuss, exploitation is probably the least well defined and
most open to interpretation. When combined, these two qualities often bring
chaos and confusion to people trying to learn penetration testing and hacking.
The lack of order and structure in a penetration test often leads to frustration
and failure. It’s not uncommon for a novice to read about a new tool, or
listen to a speaker talk about some advanced technique that can be used to
gain access to a system, and want to jump directly to step 3 (exploitation).
However, it’s important to remember that penetration testing is more than just
exploitation. Fortunately, by following the process identified in this course or
another solid penetration testing methodology, you can alleviate many of these
issues.

Because this course focuses on the basics, and as a final warning, it’s critical
to stress the importance of completing steps 1 and 2 prior to conducting
exploitation. It can be tempting to bypass reconnaissance and scanning and jump
directly to this step. That’s OK for now, but if you are ever going to advance
your skills beyond the script kiddie level, you’ll need to master the other steps
as well. Failing to do so will severely limit your ability to grow as a
penetration tester. Reconnaissance and scanning will help you bring order and
direction to exploitation.

Ok. Now that the speech is over, let’s put away the soapbox and get to the
business at hand: exploitation. As mentioned earlier, exploitation is the most
free-flowing phase we’ll cover. The reason for this is simple: each system is
different and each target is unique. Depending on a multitude of factors, your
attack vectors will vary from target to target. Different operating systems,
different services and different processes require different types of attacks.
Skilled attackers have to understand the nuances of each system they’re
attempting to exploit. As your skills continue to progress from Padawan to Jedi,
you’ll need to expand your knowledge of systems and their exploits. Eventually,
you’ll learn to create custom exploits.

You can use the previous step’s output as a guide for where to begin your
exploitation attempts. The output from scanning should be used to help shape,
focus and direct your attacks.
